SSL Inspection TLS 1.2 Support?

[Infractal 2]

Is there a roadmap for adding TLS 1.2 support for SSL inspection? I would also like to see the following forward secrecy ciphers supported to match the Win8.1/10 schannel stack, along with the ability to configure the cipher and protocol config on clients so I can do things like disable RC4 ciphers for my enterprise clients.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

[Peter Randziak 948]

Hello,

 

TLS 1.2 is supported by our implementation of SSL Protocol checking.

 

Do you have any particular issues with it with current Internet protection module?

 

P.R.

[Infractal 2]

After doing a bit more digging, I am noticing that browsers are behaving differently. Qualys tests against IE11 doing SSL inspection show TLS 1.2 support, but Firefox 36 is only going up to TLS 1.1.

 

Is cipher customization a possibility? I'd really like to get those RC4 ciphers pulled out.

[Peter Randziak 948]

Hello,

 

yes you are right support for TLS 1.2 in Firefox will be included in Internet protection module 1181+ (not available for users yet).

We will release this module gradually for user, but we do not have any time frame specified yet.

 

P.R.

[chrcoluk 2]

you have ignored his question, why can you not add cipher control to the settings?

 

Also support for HSTS hxxp://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Public Key pinning hxxp://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Plus manual verification of ceritifcates.

 

I think the HTTPS interception is messy and goes against good security practices.  Its better to just make it so livegrid can work without live http/https interception.